Understanding Virtual LANs
Agenda
• What Is a VLAN?
• How Does it Work?
• VLAN Technologies
Constraints of Shared LANs
• Users are physically bound
• Subnets are tied to hubs
• Users are grouped by location
• No security on segment
• Addressing is constrained
• Moves require address changes
• Router ports are expensive
Virtual LANs
[Figure: one switch carrying VLAN 1, VLAN 2 and VLAN 3, with a server farm attached]
• One broadcast domain within a switch
• VLANs help manage broadcast domain
• Can be defined on port groups, users, or protocols
• LAN switches and network management software provide a mechanism to create VLANs
Remove the Physical Boundaries
[Figure: Engineering, Marketing and Acctg. VLANs spanning Floor 1, Floor 2 and Floor 3]
• Group users by department, team, or application
• Routers provide communication between VLANs
VLAN Benefits
• Reduced administrative costs
  - Simplify moves, adds, and changes
  - Efficient bandwidth utilization
  - Better control of broadcasts
• Improved network security
  - Separate VLAN group for high-security users
  - Relocate servers into secured locations
• Scalability and performance
  - Microsegment with scalability
  - Distribute traffic load
VLAN Components
Switches, Routers, Servers, Management
• Membership establishment: switches determine membership
• Communication across fabric: trunking provides common VLAN exchange
• Inter-VLAN communications: multiprotocol routing provides inter-VLAN exchange
• Server communication: servers provide multi-VLAN communication
Establishing VLAN Membership
Approaches Can Vary Performance
[Figure: port-based membership (VLAN 1, 2, 3 assigned by switch port), Layer 3-based membership (subnet 198.21.xx and subnet 198.22.xx), and MAC-based membership (MAC addresses assigned to VLAN 1 and VLAN 2)]
• Port driven
• MAC address driven
• Network address driven
• Application type driven
Multiple VLANs per Port
Does This Make Sense in Switched/Shared LANs?
[Figure: two hubs, each with several stations (Mac 1 to Mac 12), attached to switch ports; broadcasts flow incoming and outgoing on the shared segments]
• Requested when multiple clients are attached
• Requires address lookups
• Cannot filter broadcasts on shared segment
• Results in lots of administration, little return
Communicating Between VLANs
Two Physical Topology Approaches
[Figure: a router running Cisco Internetworking Software attached to the switch either by one logical link carrying VLANs 1, 2, 3 or by one physical link per VLAN (VLAN 1, VLAN 2, VLAN 3)]
Logical Communication
• Layer 3 links VLANs together
• Adds additional security and management
• Logical links conserve physical ports
• Multimode, depending on protocol
• Controls access by VLAN
• Up to 255 VLANs per router
Server Connectivity
[Figure: server farm attached to C2900, C2820 and C5000 switches and a Cisco 7500 router; multiple tags (VLAN 1, VLAN 2, VLAN 3) are delivered to each server]
• Multiple tagging to each server
• Intelligent NICs decode tagging
• Supported by industry (Intel, CrossPoint)
• Maximizes performance, flexibility
VLAN Technologies
Inter-Switch Link
• Interconnects multiple switches and maintains VLAN information as traffic goes between switches
[Figure: the Inter-Switch Link (ISL) carries the VLAN identifier between switches; the VLAN tag is added at the incoming port and stripped by the forwarding port]
• Establishes membership through ASICs
• Labels each packet as received ("packet tagging")
• Eliminates lookups and tables
• Transports multiple VLANs across links
• Protocol, endstation-independent
• Easily managed
Tagging methods:
• 802.10
• ISL
• 802.1Q
• LANE
VLAN Standardization
Packet Tagging as Common VLAN Exchange
Level-1 Explicit Tagging
[Figure: an untagged frame (DES, SRC, Data, FCS) becomes a tagged frame with the VLAN ID inserted after the DES and SRC addresses, ahead of the data and FCS]
• Wide vendor endorsement for 802.1Q tagging standard
• Cisco supports across Fast Ethernet, Gigabit uplinks
• Cisco maps ISL to 802.1Q dynamically with VTP
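The explicit tag this slide describes, as an added example that is not part of the presentation: Python code that inserts, decodes and strips the 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI holding priority, drop-eligible bit and the 12-bit VLAN ID) between the source address and the original type field. The frame bytes are constructed for the example and the FCS is omitted.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an inserted 802.1Q tag


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the two address fields of an untagged frame.

    Tag = TPID 0x8100 + TCI (3-bit PCP, 1-bit DEI, 12-bit VLAN ID). FCS is not handled.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode DST, SRC, optional 802.1Q tag, EtherType and payload; vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])  # TCI, then the original type
        pcp, vid = tci >> 13, tci & 0x0FFF  # VID 0 means priority-tagged only
        offset = 18
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": vid, "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as the forwarding (access) port does before the end station sees the frame."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


# Constructed sample: broadcast ARP request from 00:11:22:33:44:55, FCS omitted.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
            + struct.pack("!H", 0x0806) + bytes(28))
TAGGED = tag_frame(UNTAGGED, vid=2)  # what an 802.1Q trunk carries for VLAN 2 (sales)
```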
VLAN Standard Implementation
Typical Environment
[Figure: Company ABC with a Cisco domain running ISL and a Vendor X domain running 802.1Q, joined by a switch-to-switch link]
• Cisco environment uses ISL
• Vendor environment uses an existing, yet different packet tagging method
• Interdomain communication based on 802.1Q standard
Virtual Trunk Protocol (VTP)
[Figure: VLAN 1 and VLAN 2 carried across ISL links, LANE over an ATM fabric, and 802.1Q links]
• VLAN administration and configuration protocol
• Reduces VLAN setup and administration
• Eliminates configuration errors
• Decreases network manager's time adding and managing VLANs
• Maps between ISL and 802.1Q
• Maintains security between VLANs
1900 Series (1)
(config)#hostname uniti_1900
uniti_1900(config)#vlan 2 name sales
uniti_1900(config)#vlan 3 name marketing
uniti_1900(config)#exit
uniti_1900#sh vlan

VLAN  Name               Status     Ports
--------------------------------------
1     default            Enabled    1-12, AUI, A, B
2     sales              Enabled
3     marketing          Enabled
1002  fddi-default       Suspended
1003  token-ring-defau   Suspended
1004  fddinet-default    Suspended
1005  trnet-default      Suspended
--------------------------------------
[output cut]
1900 Series (2)
uniti_1900(config)#int e0/2
uniti_1900(config-if)#vlan-membership ?
dynamic Set VLAN membership type as dynamic
static Set VLAN membership type as static
uniti_1900(config-if)#vlan-membership static ?
<1-1005> ISL VLAN index
uniti_1900(config-if)#vlan-membership static 2
uniti_1900(config-if)#int e0/3
uniti_1900(config-if)#vlan-membership static 3
uniti_1900(config-if)#
uniti_1900#sh vlan

VLAN  Name               Status     Ports
--------------------------------------
1     default            Enabled    1, 4-12, AUI, A, B
2     sales              Enabled    2
3     marketing          Enabled    3
1002  fddi-default       Suspended
[output cut]
1900 Series (3)
uniti_1900(config)#int f0/26
uniti_1900(config-if)#trunk ?
auto Set DISL state to AUTO
desirable Set DISL state to DESIRABLE
nonegotiate Set DISL state to NONEGOTIATE
off Set DISL state to OFF
on Set DISL state to ON
uniti_1900(config-if)#trunk on
uniti_1900(config-if)#
uniti_1900#sh trunk ?
A Trunk A
B Trunk B
uniti_1900#sh trunk a
DISL state: On, Trunking: Off, Encapsulation type: Unknown
uniti_1900#sh trunk b
DISL state: Off, Trunking: Off, Encapsulation type: Unknown
uniti_1900#
1900 Series (4)
uniti_1900(config)#vtp ?
client VTP client
domain Set VTP domain name
password Set VTP password
pruning VTP pruning
server VTP server
transparent VTP transparent
trap VTP trap
uniti_1900(config)#vtp server
uniti_1900(config)#vtp domain uniti
uniti_1900(config)#vtp password cisco
uniti_1900(config)#
1900 Series (5)
uniti_1900#sh vtp
VTP version: 1
Configuration revision: 4
Maximum VLANs supported locally: 1005
Number of existing VLANs: 7
VTP domain name : uniti
VTP password : cisco
VTP operating mode : Server
VTP pruning mode : Disabled
VTP traps generation : Enabled
Configuration last modified by: 192.168.11.10 at 00-00-0000 00:00:00
uniti_1900#
2950 Series (1)
uniti_2950#vlan database
uniti_2950(vlan)#vlan 1 name sales
A default VLAN may not have its name changed.
uniti_2950(vlan)#vlan 2 name marketing
VLAN 2 added:
Name: marketing
uniti_2950(vlan)#vlan 3 name accounting
VLAN 3 added:
Name: accounting
uniti_2950(vlan)#apply
APPLY completed.
uniti_2950(vlan)#
2950 Series (2)
uniti_2950#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                …, Fa0/22, Fa0/23, Fa0/24
2    marketing                        active
3    accounting                       active
10   vlan10                           active
20   vlan20                           active
30   vlan30                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
2950 Series (3)
uniti_2950#conf t
Enter configuration commands, one per line. End with CNTL/Z.
uniti_2950(config)#int f0/2
uniti_2950(config-if)#switchport access vlan 2
uniti_2950(config-if)#int f0/3
uniti_2950(config-if)#switchport access vlan 3
uniti_2950(config-if)#^Z
2950 Series (4)
uniti_2950#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                                …, Fa0/23, Fa0/24
2    marketing                        active    Fa0/2
3    accounting                       active    Fa0/3
10   vlan10                           active
20   vlan20                           active
30   vlan30                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
2950 Series (5)
uniti_2950(config)#int f0/24
uniti_2950(config-if)#switchport mode trunk
uniti_2950#sh run

[output cut]
!
interface FastEthernet0/2
switchport access vlan 2
no ip address

interface FastEthernet0/24
switchport mode trunk
no ip address
!
[output cut]
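An added example, not part of the presentation: a small Python parser for the `sh run` excerpt format shown on this slide that rebuilds the per-VLAN port list of `sh vlan brief` from the running configuration and lists trunk ports separately, since a trunk carries every VLAN and is not an access port of any one of them. The configuration text is constructed in the shape of the slide's output.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt in the shape of the `sh run` output on the slide.
RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/2
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/3
 switchport access vlan 3
!
interface FastEthernet0/24
 switchport mode trunk
 no ip address
!
"""

def parse_interfaces(config: str) -> dict:
    """Map interface -> {"mode": "access"/"trunk", "vlan": int/None}.
    Ports with no `switchport access vlan` line stay in default VLAN 1, as in `sh vlan brief`."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()                      # IOS indents sub-commands by one space
        if line == "!":                         # block separator closes the interface
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"mode": "access", "vlan": 1}
        elif current is not None:
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                interfaces[current]["vlan"] = int(m.group(1))
            elif line == "switchport mode trunk":   # trunk carries all VLANs, no access VLAN
                interfaces[current].update(mode="trunk", vlan=None)
    return interfaces

def vlan_membership(interfaces: dict) -> dict:
    """Group access ports by VLAN, reproducing the Ports column of `sh vlan brief`;
    trunk ports are collected under the key "trunk" so they can be reviewed separately."""
    by_vlan = defaultdict(list)
    for name, info in sorted(interfaces.items()):
        by_vlan[info["vlan"] if info["mode"] == "access" else "trunk"].append(name)
    return dict(by_vlan)
```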
2950 Series (6)
uniti_2950(config)#vtp mode ?
client Set the device to client mode.
server Set the device to server mode.
transparent Set the device to transparent mode.
uniti_2950(config)#vtp mode server
Device mode already VTP SERVER.
uniti_2950(config)#vtp domain uniti
Changing VTP domain name from NULL to uniti
uniti_2950(config)#vtp password cisco
Setting device VLAN database password to cisco

uniti_2950#sh vtp ?
counters VTP statistics
password VTP password
status VTP domain status
2950 Series (7)
uniti_2950#sh vtp status
VTP Version :2
Configuration Revision :2
Maximum VLANs supported locally : 64
Number of existing VLANs : 10
VTP Operating Mode : Server
VTP Domain Name : uniti
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x80 0x44 0xF2 0x33 0x2B 0x87 0x56 0x80
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:15
Local updater ID is 0.0.0.0 (no valid interface found)
uniti_2950#
Inter-VLAN Routing
router(config)#int f0/0.1
router(config-subif)#ip address 192.168.1.1 255.255.255.0
router(config-subif)#encapsulation dot1q vlan#

router(config)#int f0/0
router(config-if)#no ip address
router(config-if)#no shut
router(config-if)#int f0/0.1
router(config-subif)#ip address 192.168.1.1 255.255.255.0
router(config-subif)#encapsulation isl 1
router(config)#int f0/0.2
router(config-subif)#ip address 192.168.2.1 255.255.255.0
router(config-subif)#encapsulation isl 2
Summary
• VLANs enable logical (instead of physical) groups of users on a switch
• VLANs address the needs for mobility and flexibility
• VLANs reduce administrative overhead, improve security, and provide more efficient bandwidth utilization
